[security][HIGH] grub2 2.12: 6 CVE require triage #1

Closed
opened 2026-05-25 20:44:28 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: grub2
  • Version: 2.12
  • EVR: 2.12-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: HIGH
  • Max CVSS: 8.8
  • CVE count: 6
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-range

LLM recommendation

RU

For the package grub2 2.12, candidate CVEs were found from NVD/CPE data: CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662. Security-team triage is required.

Verify the applicability of the CVEs to the НАЙС.ОС build, compare with upstream/vendor advisories, determine the affected/fixed/not_affected status, and prepare a package update if necessary.

Recommended action: needs_triage

Target version hint: -

Checks: Verify the RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and regression scenarios for the package class.

Risks: An automatic NVD/CPE match is not the final verdict for НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for grub2 2.12: CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason |
|---|---|---:|---|---:|---|---|---|---|
| CVE-2024-56737 | HIGH | 8.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2024-45782 | HIGH | 7.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2025-0678 | HIGH | 7.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2025-0689 | HIGH | 7.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2025-1125 | HIGH | 7.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2025-61662 | HIGH | 7.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |

Descriptions

CVE-2024-56737

GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem.

CVE-2024-45782

A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.

CVE-2025-0678

A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size; however, it improperly checks for integer overflows. A maliciously crafted filesystem may cause some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, direct_read() will perform a heap-based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, bypassing secure boot protections.

CVE-2025-0689

When reading data from disk, grub's UDF filesystem module uses the user-controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size, which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow that corrupts critical data, resulting in the risk of arbitrary code execution bypassing secure boot protections.

CVE-2025-1125

When reading data from an HFS filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffer sizes; however, it fails to properly check for integer overflows. A maliciously crafted filesystem may cause some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the hfsplus_open_compressed_real() function will write past the end of the internal buffer. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution bypassing secure boot protections.
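CVE-2025-0678 and CVE-2025-1125 share one defect class: a buffer size is derived from attacker-controlled filesystem metadata, the arithmetic wraps, and the allocator is handed a size much smaller than the data that will later be written into it. The following is an added example (not grub's own code; the `fs_geometry` struct, field names and functions are hypothetical) that contrasts the unchecked calculation with an overflow-checked one using the GCC/Clang `__builtin_mul_overflow` and `__builtin_add_overflow` builtins. Sizes are kept in `uint32_t` to model a 32-bit size type, where the wrap is easiest to see.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical geometry fields parsed from an untrusted filesystem image
   (constructed for this example; every field is attacker-controlled). */
struct fs_geometry {
    uint32_t block_size;   /* bytes per block                      */
    uint32_t block_count;  /* blocks in the extent being read      */
    uint32_t header_len;   /* extra header bytes stored with data  */
};

/* Upper bound a boot loader should ever allocate for one extent (assumption). */
#define EXTENT_LIMIT (16u * 1024u * 1024u)

/* Unchecked calculation: the pattern the CVE descriptions warn about.
   Unsigned arithmetic wraps silently, so a huge geometry produces a tiny size
   and the later copy of block_size * block_count bytes overruns the buffer. */
uint32_t unsafe_buffer_size(const struct fs_geometry *g)
{
    return (uint32_t)(g->block_size * g->block_count) + g->header_len;
}

/* Checked calculation: every intermediate result is tested for overflow and
   the total is bounded, so the caller gets a refusal instead of an undersized
   allocation. Returns true and stores the size only when all checks pass. */
bool checked_buffer_size(const struct fs_geometry *g, uint32_t limit, uint32_t *out)
{
    uint32_t data, total;

    if (__builtin_mul_overflow(g->block_size, g->block_count, &data))
        return false;                      /* product would wrap */
    if (__builtin_add_overflow(data, g->header_len, &total))
        return false;                      /* sum would wrap */
    if (total == 0 || total > limit)
        return false;                      /* empty or implausibly large extent */
    *out = total;
    return true;
}

/* Allocate only after the size survived the checks; NULL means "rejected". */
void *alloc_extent_buffer(const struct fs_geometry *g, uint32_t *len_out)
{
    uint32_t n;
    if (!checked_buffer_size(g, EXTENT_LIMIT, &n))
        return NULL;
    void *buf = malloc(n);
    if (buf && len_out)
        *len_out = n;
    return buf;
}

/* Constructed inputs so the two behaviours can be compared and asserted on. */
static const struct fs_geometry crafted = { 0x10000u, 0x10000u, 16u }; /* 2^32 + 16 */
static const struct fs_geometry benign  = { 4096u, 8u, 16u };          /* 32784 */

uint32_t demo_unsafe_crafted(void)  { return unsafe_buffer_size(&crafted); }
bool     demo_checked_crafted(void) { uint32_t n; return checked_buffer_size(&crafted, EXTENT_LIMIT, &n); }
uint32_t demo_checked_benign(void)  { uint32_t n = 0; checked_buffer_size(&benign, EXTENT_LIMIT, &n); return n; }

int main(void)
{
    printf("unchecked size for crafted geometry : %u bytes (wrapped)\n", demo_unsafe_crafted());
    printf("checked size for crafted geometry   : %s\n", demo_checked_crafted() ? "accepted" : "rejected");
    printf("checked size for benign geometry    : %u bytes\n", demo_checked_benign());
    uint32_t len = 0;
    void *buf = alloc_extent_buffer(&benign, &len);
    printf("allocation for benign geometry      : %s (%u bytes)\n", buf ? "ok" : "failed", len);
    free(buf);
    return 0;
}
```

The crafted geometry multiplies to exactly 2^32, so the unchecked version returns 16 bytes while the data copy that follows in a real driver would expect 4 GiB; the checked version refuses it before any allocation happens. The `limit` check is worth keeping even on 64-bit builds, where the multiplication alone would not wrap but the result is still far beyond anything a boot-time filesystem read should need.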

CVE-2025-61662

A use-after-free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a denial of service. A possible data integrity or confidentiality compromise cannot be ruled out.

Scanner integration

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
Once the issue has actually been created, the script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2024-45782",
    "CVE-2024-56737",
    "CVE-2025-0678",
    "CVE-2025-0689",
    "CVE-2025-1125",
    "CVE-2025-61662"
  ],
  "fingerprint": "59491e4070f5e82b6f36",
  "generated_at": "2026-05-25T17:44:27Z",
  "match_ids": [
    1372,
    1378,
    1379,
    1380,
    1381,
    1385
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "grub2",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "2.12"
}
Author
Owner

CVE resolution

EN

Resolved in NiceOS branch niceos-5.2.
Status: fixed.
Fixed in EVR: 2.19.5-2.
CVE: CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662.
Source: SPECS/grub2.spec.

RU

Fixed in НАЙС.ОС branch niceos-5.2.
Status: fixed.
Fixed in EVR: 2.19.5-2.
CVE: CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662.
Source: SPECS/grub2.spec.

Reference
rpms/grub2#1